httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53193] New: SSLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY
Date Fri, 04 May 2012 11:56:04 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193

          Priority: P2
            Bug ID: 53193
          Assignee: bugs@httpd.apache.org
           Summary: SSLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY
          Severity: normal
    Classification: Unclassified
                OS: FreeBSD
          Reporter: tomefrom@list.ru
          Hardware: PC
            Status: NEW
           Version: 2.5-HEAD
         Component: mod_ssl
           Product: Apache httpd-2

If I use "SSLVerifyClient optional_no_ca" and SSLSessionCache (with any type of
cache, for example "dbm:/var/run/httpd/ssl_scache") and "SSLSessionCacheTimeout
300", from time to time in the CGI environment (I refresh the web page within 1-2
minutes) I see SSL_CLIENT_VERIFY=SUCCESS, in spite of the client certificate in
the web browser not being signed by the SSLCACertificateFile. It occurs when using
the Opera browser, because Opera provides a selection of client certificates to
authenticate with. At the same time, possibly other clients work with another
virtual host using a valid certificate (the virtual host works on a different port).
Even when all other SSL virtual hosts were removed and only I accessed the virtual
host with the wrong certificate, the situation was repeated. When I set
SSLSessionCache to none, SSL_CLIENT_VERIFY=GENEROUS always.


At the same time in the log (when SSL_CLIENT_VERIFY=SUCCESS with the wrong
certificate):
10:10:52 [debug] ssl_engine_kernel.c(1732): Inter-Process Session Cache: request=GET status=FOUND id=F1FF0E51D83D2BACDFBE4EEE8A348687D402C42BC2CA450E24608375CB82FFB8 (session reuse)
10:10:52 [info] [client 172.16.70.220] SSL client authentication failed, accepting certificate based on SSLVerifyClient optional_no_ca configuration
10:10:52 [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#2bf45300 [mem: 2bfa9000] (BIO dump follows)
10:10:52 [info] Initial (No.1) HTTPS request received for child 71 (server test:443)

10:10:57 [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#2bf45300 [mem: 2bfa9000]
04 10:10:57 [info] [client 172.16.70.220] (70007)The timeout specified has expired: SSL input filter read failed.
04 10:10:57 [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
04 10:10:57 [info] [client 172.16.70.220] Connection closed to child 97 with standard shutdown (server test:443)
04 10:10:57 [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#2bf45300 [mem: 2bfa9000]
10:10:57 [info] [client 172.16.70.220] (70007)The timeout specified has expired: SSL input filter read failed.
04 10:10:57 [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
04 10:10:57 [info] [client 172.16.70.220] Connection closed to child 71 with standard shutdown (server test:443)

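As an added illustration (not part of the report, and not httpd code): a small Python check that scans an httpd error log written at LogLevel debug for the pattern visible in the report, a session-cache hit (status=FOUND) followed closely by an "accepting certificate based on SSLVerifyClient optional_no_ca" message, and lists the session ids and clients for which an application must not treat SSL_CLIENT_VERIFY=SUCCESS as a verified certificate. The sample lines are constructed from the report's output; the two-second pairing window and the assumption that each log entry is on one line are mine.

```python
import re

# Constructed sample, modelled on the mod_ssl debug/info lines in the report.
# Entry 1 and 2 show the suspicious pattern; entries 4 and 5 show a cache miss.
SAMPLE_LOG = """\
10:10:52 [debug] ssl_engine_kernel.c(1732): Inter-Process Session Cache: request=GET status=FOUND id=F1FF0E51D83D2BACDFBE4EEE8A348687D402C42BC2CA450E24608375CB82FFB8 (session reuse)
10:10:52 [info] [client 172.16.70.220] SSL client authentication failed, accepting certificate based on SSLVerifyClient optional_no_ca configuration
10:10:52 [info] Initial (No.1) HTTPS request received for child 71 (server test:443)
10:11:30 [debug] ssl_engine_kernel.c(1732): Inter-Process Session Cache: request=GET status=MISSED id=AABBCCDD (session reuse)
10:11:30 [info] [client 172.16.70.221] SSL client authentication failed, accepting certificate based on SSLVerifyClient optional_no_ca configuration
"""

# An optional leading day number ("04 ") is tolerated, as in the report's lines.
CACHE_RE = re.compile(
    r"(?:\d+ )?(\d\d:\d\d:\d\d) \[debug\] .*Inter-Process Session Cache: "
    r"request=GET status=(\w+) id=([0-9A-Fa-f]+)"
)
NOCA_RE = re.compile(
    r"(?:\d+ )?(\d\d:\d\d:\d\d) \[info\] \[client ([\d.]+)\] "
    r"SSL client authentication failed, accepting certificate based on "
    r"SSLVerifyClient optional_no_ca"
)


def to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def find_resumed_unverified(lines, window: int = 2):
    """Return [(session_id, client_ip)] for every session-cache hit that is
    followed within `window` seconds by an optional_no_ca acceptance.
    Such a connection reused a cached session while the certificate it
    presented failed chain verification, so SSL_CLIENT_VERIFY must not be
    taken at face value for it."""
    pending = []  # unmatched cache hits: (time_in_seconds, session_id)
    flagged = []
    for line in lines:
        m = CACHE_RE.search(line)
        if m:
            if m.group(2) == "FOUND":  # only resumed sessions are of interest
                pending.append((to_seconds(m.group(1)), m.group(3)))
            continue
        m = NOCA_RE.search(line)
        if not m:
            continue
        t, ip = to_seconds(m.group(1)), m.group(2)
        for hit in list(pending):
            if 0 <= t - hit[0] <= window:
                flagged.append((hit[1], ip))
                pending.remove(hit)  # pair each cache hit at most once
    return flagged


if __name__ == "__main__":
    for sid, ip in find_resumed_unverified(SAMPLE_LOG.splitlines()):
        print(f"resumed session {sid} from {ip}: verify result not trustworthy")
```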
